My Application Load Balancer’s security policy lists RSA and ECDSA ciphers. But when I connect to my load balancer, I see only RSA ciphers selected.
Short description
You can configure an Application Load Balancer HTTPS listener with multiple certificates. However, the listener also requires a security policy. Each security policy contains cipher suites for both the RSA and the ECDSA cryptographic algorithms. During the TLS handshake, the Application Load Balancer uses its certificate selection logic to determine which of the listener's certificates to present for the HTTPS connection. The key type of the chosen certificate decides the cipher suites: if the certificate was created with an RSA key, then the Application Load Balancer negotiates RSA cipher suites; if it was created with an ECDSA (elliptic curve) key, then the Application Load Balancer negotiates ECDSA cipher suites.
Resolution
To use ECDSA ciphers with your Application Load Balancer, complete the following steps:
Create or import a new ECDSA certificate to ACM and bind it to an HTTPS listener
Create a new ECDSA certificate
First, determine your certificate requirements. Then, request an ECDSA certificate from AWS Certificate Manager (ACM).
Import the ECDSA certificate to ACM
After you work with your certificate authority to get the ECDSA certificate for your domain in .pem format, import your new ECDSA certificate to ACM.
After you create or import your ECDSA certificate to ACM, associate your certificate with your Application Load Balancer.
(Optional) Test your load balancer’s TLS listener for supported ciphers
To test which protocols and ciphers are used, use an open source command line tool, such as sslscan.
Note: sslscan reports every cipher suite that the listener accepts in a single run, without an additional third-party utility. For example, if you use curl instead, then you must specify individual cipher suites, so you need a separate curl request for each combination of TLS protocol and cipher suite that you want to test.
You can install and run the sslscan command on any Amazon Elastic Compute Cloud (Amazon EC2) Linux instance or from your local system. Make sure that the load balancer that you want to test accepts TLS connections from your source IP address.
To use sslscan on an Amazon Linux EC2 instance, complete the following steps:
1. Activate the Extra Packages for Enterprise Linux (EPEL) repository.
2. Install sslscan on your Amazon EC2 Linux instance:
sudo yum install sslscan
3. To scan your Application Load Balancer for supported ciphers, run the following command. Replace example.com with your domain name:
[ec2-user@ ~]$ sslscan --show-ciphers example.com | grep Accepted
Here's an example of the output that sslscan produces when you scan your Application Load Balancer. In this example, the load balancer uses a P-256 ECDSA certificate and the default security policy:
Accepted TLSv1 256 bits ECDHE-ECDSA-AES256-SHA
Accepted TLSv1 128 bits ECDHE-ECDSA-AES128-SHA
Accepted TLS11 256 bits ECDHE-ECDSA-AES256-SHA
Accepted TLS11 128 bits ECDHE-ECDSA-AES128-SHA
Accepted TLS12 256 bits ECDHE-ECDSA-AES256-GCM-SHA384
Accepted TLS12 256 bits ECDHE-ECDSA-AES256-SHA384
Accepted TLS12 256 bits ECDHE-ECDSA-AES256-SHA
Accepted TLS12 128 bits ECDHE-ECDSA-AES128-GCM-SHA256
Accepted TLS12 128 bits ECDHE-ECDSA-AES128-SHA256
Accepted TLS12 128 bits ECDHE-ECDSA-AES128-SHA
The following example output features a load balancer with an RSA 2048 certificate and default security policy:
Accepted TLSv1 256 bits ECDHE-RSA-AES256-SHA
Accepted TLSv1 256 bits AES256-SHA
Accepted TLSv1 128 bits ECDHE-RSA-AES128-SHA
Accepted TLSv1 128 bits AES128-SHA
Accepted TLS11 256 bits ECDHE-RSA-AES256-SHA
Accepted TLS11 256 bits AES256-SHA
Accepted TLS11 128 bits ECDHE-RSA-AES128-SHA
Accepted TLS11 128 bits AES128-SHA
Accepted TLS12 256 bits ECDHE-RSA-AES256-GCM-SHA384
Accepted TLS12 256 bits ECDHE-RSA-AES256-SHA384
Accepted TLS12 256 bits ECDHE-RSA-AES256-SHA
Accepted TLS12 256 bits AES256-GCM-SHA384
Accepted TLS12 256 bits AES256-SHA256
Accepted TLS12 256 bits AES256-SHA
Accepted TLS12 128 bits ECDHE-RSA-AES128-GCM-SHA256
Accepted TLS12 128 bits ECDHE-RSA-AES128-SHA256
Accepted TLS12 128 bits ECDHE-RSA-AES128-SHA
Accepted TLS12 128 bits AES128-GCM-SHA256
Accepted TLS12 128 bits AES128-SHA256
Accepted TLS12 128 bits AES128-SHA
If you correctly configured your ECDSA certificate on your Application Load Balancer, then your output shows the negotiated ECDHE-ECDSA-* cipher suites. If your output shows other cipher suites, then review and update your Application Load Balancer security policy.
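The following shell script is an added example and is not part of the AWS article or of sslscan. It classifies the Accepted lines that sslscan prints (the format shown above, where the cipher suite name is the fifth whitespace-separated field) by the key type the suite authenticates with, so that you can confirm from the output whether the listener presented an ECDSA or an RSA certificate. The function names count_auth and cert_is_ecdsa and the sample output embedded in the script are constructed for this example; run the script with a host name to scan a real listener, or with no argument to classify the embedded samples.

```shell
#!/bin/sh
# Added example (hypothetical helper, not AWS or sslscan code): classify the cipher
# suites that sslscan reports as Accepted by the certificate key type they imply.
# Assumes sslscan's "Accepted <proto> <bits> bits <suite> ..." line format, where the
# suite name is the fifth field.

# Constructed sample output, abbreviated from the two listings above.
SAMPLE_ECDSA='Accepted TLS12 256 bits ECDHE-ECDSA-AES256-GCM-SHA384
Accepted TLS12 128 bits ECDHE-ECDSA-AES128-GCM-SHA256
Accepted TLSv1 256 bits ECDHE-ECDSA-AES256-SHA'

SAMPLE_RSA='Accepted TLS12 256 bits ECDHE-RSA-AES256-GCM-SHA384
Accepted TLS12 256 bits AES256-GCM-SHA384
Accepted TLSv1 128 bits AES128-SHA'

# Read sslscan output on stdin and print "ecdsa=<n> rsa=<n> other=<n>".
# ECDHE-ECDSA-* suites authenticate with an ECDSA key. ECDHE-RSA-* suites and the
# plain AES128-*/AES256-* suites (static RSA key exchange) authenticate with an RSA key.
count_auth() {
  awk '
    $1 == "Accepted" {
      suite = $5
      if (suite ~ /^ECDHE-ECDSA-/)                                ecdsa++
      else if (suite ~ /^ECDHE-RSA-/ || suite ~ /^AES(128|256)-/) rsa++
      else                                                         other++
    }
    END { printf "ecdsa=%d rsa=%d other=%d\n", ecdsa+0, rsa+0, other+0 }
  '
}

# Succeed (exit 0) only if at least one ECDHE-ECDSA suite was accepted and no
# RSA-authenticated suite was, which is what a correctly bound ECDSA certificate
# produces with the default security policy.
cert_is_ecdsa() {
  summary=$(count_auth)
  ecdsa=${summary#ecdsa=}; ecdsa=${ecdsa%% *}
  rsa=${summary#*rsa=};   rsa=${rsa%% *}
  [ "$ecdsa" -gt 0 ] && [ "$rsa" -eq 0 ]
}

# Usage: sh check_ecdsa.sh example.com   (needs sslscan on the PATH and network access
# to the listener). With no argument, the constructed samples are classified instead.
if [ -n "${1:-}" ]; then
  if sslscan --show-ciphers "$1" | grep Accepted | cert_is_ecdsa; then
    echo "$1: ECDSA certificate in use"
  else
    echo "$1: RSA (or mixed) cipher suites negotiated; review the certificate and security policy"
  fi
else
  printf '%s\n' "$SAMPLE_ECDSA" | count_auth   # ecdsa=3 rsa=0 other=0
  printf '%s\n' "$SAMPLE_RSA"   | count_auth   # ecdsa=0 rsa=3 other=0
fi
```

Because the classification keys off the suite name rather than the protocol column, it works unchanged for the TLSv1, TLS11 and TLS12 rows that sslscan prints; a suite that matches neither pattern is counted as other rather than silently ignored, so an unexpected policy shows up in the summary.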